Keeping Track of All Avenues of Attack

By Don Reisinger
Posted 2009-11-19

10 Lessons Google Must Learn About OS Security

Much has been made of Google's intentions in the operating system space. The company has made it clear
that it wants its products to be used on netbooks. It wants to be the first
major company to deliver an online operating system that can compete with the
likes of Windows 7 Starter Edition and Linux distributions. But is Google
really prepared for the challenges that await it? Creating and maintaining an
operating system is a dirty business. It takes a lot of effort and
understanding of what malware producers are trying to do.

Realizing that, Google needs to be prepared. It needs to understand that how
well it secures the online world means nothing when it comes to operating
system security. Sure, its creation will be an online OS, which makes
it a little different from Windows or Mac OS X, but the basic premise
remains: Malicious hackers want to take control over operating systems for
their own financial gain. It's sad, but true.

That's why Google must learn some basic lessons if it wants to be successful in
the OS space. Here are some lessons that Google will definitely need to face:

1. Malicious hackers want in

The first lesson Google must learn is that malicious hackers want to hit as
many computers and their users as possible. For the most part, that has meant
that they've focused their time on Windows. But as Mac OS X gains in
popularity, they have switched gears to also target Apple's operating system.
Given the hype and fanfare that will undoubtedly surround Chrome OS, it's not beyond
the realm of possibility for Google to have to face many more malicious hackers
than it might expect. They want in. There's no doubt about it.

2. Users need all the help they can get

When it comes to operating system security, some of the blame can be placed
on users. They click on attachments they shouldn't, they open links to unknown
places and much more. Realizing that, Google needs to do what Microsoft and
Apple have done and make Chrome OS as simple as possible. Important security
matters should be handled by the software. Users simply can't be trusted to
make the right decisions.

3. Nothing is totally secure

Google should also realize that it's a major target. The hacker community
is not fond of Google. The community considers Google, like Microsoft, to be a
major target that it wants to take down. So far, hackers haven't been all that
successful with the company's search and online products. But that could all
change when Google attempts to maintain security on an operating system. Watch
out, Google.

5. Online is the new frontier

The hacker community is also fully aware that the future is in the cloud.
It might be able to make boatloads of cash exploiting desktops today, but soon,
all the money will be made online. We've seen a change in focus over the past
few years as more hackers have targeted e-mail, social networks and other
online sites. Chrome OS falls right in line with that.

6. Open source is great, but not totally secure

Chrome OS may be open source, but that doesn't mean that Google shouldn't worry.
Open-source software has been the victim of major attacks on various occasions.
To believe that open-source software will be able to fend off sophisticated
attacks from determined hackers who really want to break into an
operating system is ludicrous. Yes, an open-source approach might help Google
patch holes sooner than with closed software, but it won't stop the
exploitation if the software isn't developed well enough.

7. Spoofs, phishing and Web attack tactics

Since Chrome OS is online, Google
will need to be especially concerned about Web attacks, which have quickly
become an easy way for attackers to take control. Now more than ever, hackers
are using spoofed e-mail addresses, phishing attacks, credentialing tricks and
other techniques to exploit users while they feel safe online. Since Chrome OS
is solely in the cloud, malicious hackers might ramp up their efforts in those
areas.

8. Third parties don't care as much as you do about OS security

Attention, Google: Third-party developers won't care nearly as much about
the security of your platform as you do. Microsoft knows that. Apple has made
its operating system extremely closed because of it. Now it's your turn.
Unfortunately, third-party developers create software in many cases that is
riddled with holes that hackers can exploit. That causes a hailstorm of
trouble. Furthermore, such software might take much longer to patch. Be
prepared for third-party holes, Google.

9. What about the hardware?

Another obvious concern is the safety of data on hardware, such as external
hard drives or USB keys. Responding to that concern, Microsoft
added its encryption service, BitLocker, to mobile drives. The software,
called BitLocker To Go, encrypts portable media. Google will also need to
address that problem. More people than ever are bringing important data with
them wherever they go. If Google doesn't make it simple and easy to secure that
data, it can't rely on users to do it. And who knows what could come back in
that USB key?

10. Enterprises care most

If Google wants to be a major player in the operating system market, it
needs to realize that it's the enterprise, not the consumer, that will help it
acquire more market share. And if it wants to capture significant market share,
it will need to satisfy enterprise requirements and concerns, one of which is
increasingly becoming the security of enterprise data. Unless Google can
address that, it will have some serious growing pains as it brings Chrome OS to
market on netbooks (a recent enterprise favorite) and possibly on desktops and
notebooks.